Okta Alert Actions (oktaGroupMemberChange)

brettwilliams

This doesn't seem to work... We've followed the instructions provided with the TA, but we're getting errors output from the scripts to the effect of basic tokens missing. Also reaching out to Okta support directly.

2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=setup_util.py:log_error:110 | Credential account with username <our okta> can not be found

 

Yeah, we have this configured.

2020-07-10 15:33:13,487 DEBUG pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="_okta_client Invoked with a url of: https://<our okta>/api/v1/groups/<group>/users/<user>" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

 

OK, seems normal to me. It attempts the API call, but what does cim_actions have to do with it? Yes, we have CIM installed, and the add-on is good for all versions.

2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Error: 'NoneType' object has no attribute '__getitem__'. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409520_68739" rid="6" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved" action_status="failure"

 

NoneType has no attribute. Even more vague.

2020-07-10 15:33:14,370 INFO pid=21898 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Invoking modular action" action_name="oktaGroupMemberChange" search_name="<search name>" sid="scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409580_68741" rid="1" app="TA-Okta_Identity_Cloud_for_Splunk" user="admin" digest_mode="0" action_mode="saved"

 

Then it goes ahead and tries to call the modular action anyway.

07-10-2020 15:39:23.653 -0400 ERROR SearchScheduler - Error in 'sendalert' command: Alert script returned error code 4., search='sendalert oktaGroupMemberChange results_file="/opt/splunk/var/run/splunk/dispatch/scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784/per_result_alert/tmp_1.csv.gz" results_link="https://<our search head>/app/TA-Okta_Identity_Cloud_for_Splunk/search?q=%7Cloadjob%20scheduler__admin_VEEtT2t0YV9JZGVudGl0eV9DbG91ZF9mb3JfU3BsdW5r__RMD5784129dd80607623_at_1594409940_68784%20%7C%20head%202%20%7C%20tail%201&earliest=0&latest=now"'

 

Error code 4... nothing more than that. The part of the script where that error is thrown is related to gathering parameters. I suspect that maybe this is implemented, but never tested or confirmed to work. But I could be wrong...
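A triage helper for log lines in the format quoted in the post above, as an added example that is not part of the original post and not the add-on's code: it groups events by pid so that a sendmodaction failure is read together with the other ERROR lines the same process wrote. The sample lines are constructed (shortened from the post's format, with placeholder sid values), and `parse_line` and `failed_runs` are names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample: shortened from the format quoted in the post, sid values are placeholders.
SAMPLE = """\
2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=setup_util.py:log_error:110 | Credential account with username <our okta> can not be found
2020-07-10 15:33:13,487 DEBUG pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="_okta_client Invoked with a url of: https://<our okta>/api/v1/groups/<group>/users/<user>" action_name="oktaGroupMemberChange" sid="constructed_sid_1" rid="6"
2020-07-10 15:33:13,487 ERROR pid=21467 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Error: 'NoneType' object has no attribute '__getitem__'." action_name="oktaGroupMemberChange" sid="constructed_sid_1" rid="6" action_status="failure"
2020-07-10 15:33:14,370 INFO pid=21898 tid=MainThread file=cim_actions.py:message:424 | sendmodaction - worker="$HOSTNAME" signature="Invoking modular action" action_name="oktaGroupMemberChange" sid="constructed_sid_2" rid="1"
"""

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:,]+) (?P<level>[A-Z]+) pid=(?P<pid>\d+) "
    r"tid=(?P<tid>\S+) file=(?P<file>\S+) \| (?P<msg>.*)$"
)
KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split a line into header fields plus key="value" pairs; None if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["fields"] = dict(KV.findall(event["msg"]))
    return event


def failed_runs(text):
    """For each action_status="failure" event, collect the other ERROR lines from the same pid."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            by_pid[event["pid"]].append(event)
    report = []
    for pid, events in by_pid.items():
        for failure in events:
            if failure["fields"].get("action_status") != "failure":
                continue
            others = [e["msg"] for e in events if e["level"] == "ERROR" and e is not failure]
            report.append({"pid": pid, "sid": failure["fields"].get("sid"),
                           "rid": failure["fields"].get("rid"),
                           "signature": failure["fields"].get("signature"),
                           "other_errors": others})
    return report


if __name__ == "__main__":
    for run in failed_runs(SAMPLE):
        print(run)
```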
